831 config - port forwarding all but IPv6 (protocol 41)
06-22-2008 06:40 PM - edited 03-03-2019 10:27 PM
Hi,
I have an 831 on an Internet connection with a single static IP and running NAT. I'm trying to configure it to terminate an IPv6 tunnel and then port forward all other incoming traffic to a specific internal host. I've tried:
ip nat inside source static 192.168.0.2 <external ip>
...and this forwards everything internally to 192.168.0.2, but the problem is that it also forwards the protocol 41 packets right through, so the tunnel defined on the 831 doesn't even see them. I need to forward a ton of TCP ports as well as IPSec traffic, so I'm trying to avoid a bunch of individual statements like this:
ip nat inside source static tcp 192.168.0.1 80 <external ip> 80
Does anyone know if this is possible? Can I somehow tell it to ignore the static NAT rule if the traffic is protocol 41? Or if the source address is the IPv6 tunnel endpoint?
Thanks,
Owen
06-22-2008 09:04 PM
Use an extended access-list to deny protocol 41, then either reference that list in your NAT statement or in a route-map.
ip access-list extended no-ipv6
 deny 41 any any
 permit ip any any
--or--
ip access-list extended no-ipv6-host
 deny 41 host 192.168.0.1 host
 permit ip host 192.168.0.1 host
Or just deny the tunnel endpoint by host address for all protocols.
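
Added example, not part of the reply above: a small Python model of first-match evaluation for the `no-ipv6` list, showing which flows the list still selects for NAT and how denying the tunnel endpoint by host address differs. The `NO_PEER` list, the flows and the 203.0.113.9 / 198.51.100.20 addresses are constructed for illustration.

```python
import ipaddress

# IOS protocol keywords used below; "ip" matches every IP protocol number.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50}

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # wildcard = inverted netmask
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def parse_ace(line):
    """Parse '<permit|deny> <protocol> <source> <destination>' into a tuple."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    number = PROTO[proto] if proto in PROTO else int(proto)
    return action, number, _addr(tokens), _addr(tokens)

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, number, src_net, dst_net in acl:
        if number in (None, proto) and src in src_net and dst in dst_net:
            return action
    return "deny"

# Entries of the no-ipv6 list from the reply above.
NO_IPV6 = [parse_ace(l) for l in ("deny 41 any any", "permit ip any any")]
# Constructed list for the "deny the tunnel endpoint by host address" option.
NO_PEER = [parse_ace(l) for l in ("deny ip any host 203.0.113.9", "permit ip any any")]

# Constructed flows: (label, IP protocol number, source, destination).
FLOWS = [("6in4 to peer", 41, "192.168.0.2", "203.0.113.9"),
         ("tcp to peer", 6, "192.168.0.2", "203.0.113.9"),
         ("tcp elsewhere", 6, "192.168.0.2", "198.51.100.20"),
         ("esp elsewhere", 50, "192.168.0.2", "198.51.100.20")]

def selected(acl):
    """Labels of the flows the list permits, i.e. the traffic it selects."""
    return [label for label, p, s, d in FLOWS if evaluate(acl, p, s, d) == "permit"]

if __name__ == "__main__":
    print("no-ipv6:", selected(NO_IPV6))
    print("peer denied:", selected(NO_PEER))
```

The protocol-based list excludes only protocol 41, while the host-based list also excludes every other protocol exchanged with the tunnel endpoint.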
